Vulnerabilities > CVE-2019-10130 - Improper Access Control vulnerability in Postgresql
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Signature Spoofing by Key Theft An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3972-1.NASL description It was discovered that PostgreSQL incorrectly handled partition routing. A remote user could possibly use this issue to read arbitrary bytes of server memory. This issue only affected Ubuntu 19.04. (CVE-2019-10129) Dean Rasheed discovered that PostgreSQL incorrectly handled selectivity estimators. A remote attacker could possibly use this issue to bypass row security policies. (CVE-2019-10130). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 125025 published 2019-05-14 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125025 title Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : postgresql-10, postgresql-11, postgresql-9.5 vulnerabilities (USN-3972-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3972-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(125025); script_version("1.4"); script_cvs_date("Date: 2020/01/17"); script_cve_id("CVE-2019-10129", "CVE-2019-10130"); script_xref(name:"USN", value:"3972-1"); script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : postgresql-10, postgresql-11, postgresql-9.5 vulnerabilities (USN-3972-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that PostgreSQL incorrectly handled partition routing. A remote user could possibly use this issue to read arbitrary bytes of server memory. This issue only affected Ubuntu 19.04. (CVE-2019-10129) Dean Rasheed discovered that PostgreSQL incorrectly handled selectivity estimators. A remote attacker could possibly use this issue to bypass row security policies. (CVE-2019-10130). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3972-1/" ); script_set_attribute( attribute:"solution", value: "Update the affected postgresql-10, postgresql-11 and / or postgresql-9.5 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10130"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postgresql-10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postgresql-11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postgresql-9.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/30"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(16\.04|18\.04|18\.10|19\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 18.10 / 19.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"16.04", pkgname:"postgresql-9.5", pkgver:"9.5.17-0ubuntu0.16.04.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"postgresql-10", pkgver:"10.8-0ubuntu0.18.04.1")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"postgresql-10", pkgver:"10.8-0ubuntu0.18.10.1")) flag++; if (ubuntu_check(osver:"19.04", pkgname:"postgresql-11", pkgver:"11.3-0ubuntu0.19.04.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "postgresql-10 / postgresql-11 / postgresql-9.5"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-202003-03.NASL description The remote host is affected by the vulnerability described in GLSA-202003-03 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, bypass certain client-side connection security features, read arbitrary server memory, alter certain data or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-03-19 modified 2020-03-13 plugin id 134470 published 2020-03-13 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134470 title GLSA-202003-03 : PostgreSQL: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 202003-03. # # The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(134470); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/18"); script_cve_id("CVE-2019-10129", "CVE-2019-10130", "CVE-2019-10164", "CVE-2020-1720"); script_xref(name:"GLSA", value:"202003-03"); script_name(english:"GLSA-202003-03 : PostgreSQL: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-202003-03 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, bypass certain client-side connection security features, read arbitrary server memory, alter certain data or cause a Denial of Service condition. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/202003-03" ); script_set_attribute( attribute:"solution", value: "All PostgreSQL 9.4.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-9.4.26:9.4' All PostgreSQL 9.5.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-9.5.21:9.5' All PostgreSQL 9.6.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-9.6.17:9.6' All PostgreSQL 10.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-10.12:10' All PostgreSQL 11.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-11.7:11' All PostgreSQL 12.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-12.2:12'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:postgresql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/26"); script_set_attribute(attribute:"patch_publication_date", value:"2020/03/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/13"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-db/postgresql", unaffected:make_list("ge 9.4.26", "ge 9.5.21", "ge 9.6.17", "ge 10.12", "ge 11.7", "ge 12.2"), vulnerable:make_list("lt 9.4.26", "lt 9.5.21", "lt 9.6.17", "lt 10.12", "lt 11.7", "lt 12.2"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PostgreSQL"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-1810-1.NASL description This update for postgresql10 fixes the following issues : Security issue fixed : CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034). CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689). Bug fixes: For a complete list of fixes check the release notes. - https://www.postgresql.org/docs/10/release-10-9.html - https://www.postgresql.org/docs/10/release-10-8.html - https://www.postgresql.org/docs/10/release-10-7.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 126618 published 2019-07-11 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126618 title SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2019:1810-1) NASL family Databases NASL id POSTGRESQL_20190509.NASL description The version of PostgreSQL installed on the remote host is 9.4.x prior to 9.4.22, 9.5.x prior to 9.5.17, 9.6.x prior to 9.6.13, 10.x prior to 10.8, or 11.x prior to 11.3. It is, therefore, affected by multiple vulnerabilities. - A remote code execution vulnerability exists in both, the BigSQL and the EnterpriseDB Windows installers due to the installers not locking down the permissions of the PostgreSQL binary installation directory and the data directory. An authenticated, local attacker can exploit this, to cause the PostgreSQL service account to execute arbitrary code. (CVE-2019-10127, CVE-2019-10128) - A memory disclosure vulnerability exists in the partition routing component. An authenticated, remote attacker can exploit this, via the execution of a crafted INSERT statement to a partitioned table to disclose memory contents. (CVE-2019-10129) - A security bypass vulnerability exists in the core server. An authenticated, remote attacker can exploit this, via the execution of a crafted SQL query with a leaky operator to disclose potentially sensitive information. (CVE-2019-10130) last seen 2020-06-01 modified 2020-06-02 plugin id 125264 published 2019-05-17 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125264 title PostgreSQL 9.4.x < 9.4.22 / 9.5.x < 9.5.17 / 9.6.x < 9.6.13 / 10.x < 10.8 / 11.x < 11.3 Multiple vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_065890C3725E11E9B0E16CC21735F730.NASL description The PostgreSQL project reports : PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user able to execute SQL queries with permissions to read a given column could craft a leaky operator that could read whatever data had been sampled from that column. If this happened to include values from rows that the user is forbidden to see by a row security policy, the user could effectively bypass the policy. This is fixed by only allowing a non-leakproof operator to use this data if there are no relevant row security policies for the table. last seen 2020-06-01 modified 2020-06-02 plugin id 124788 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124788 title FreeBSD : PostgreSQL -- Selectivity estimators bypass row security policies (065890c3-725e-11e9-b0e1-6cc21735f730) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2012-1.NASL description This update for postgresql10 fixes the following issues : Security issue fixed : CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034). CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689). Bug fixes: For a complete list of fixes check the release notes. - https://www.postgresql.org/docs/10/release-10-9.html - https://www.postgresql.org/docs/10/release-10-8.html - https://www.postgresql.org/docs/10/release-10-7.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 127752 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127752 title SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2019:2012-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-1668.NASL description This update for postgresql96 fixes the following issues : Security issue fixed : - CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689). This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 126369 published 2019-07-01 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126369 title openSUSE Security Update : postgresql96 (openSUSE-2019-1668) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4439.NASL description Dean Rasheed discovered that row security policies in the PostgreSQL database system could be bypassed. For additional information please refer to the upstream announcement at https://www.postgresql.org/about/news/1939/ last seen 2020-06-01 modified 2020-06-02 plugin id 124721 published 2019-05-10 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124721 title Debian DSA-4439-1 : postgresql-9.6 - security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-1773.NASL description This update for postgresql10 fixes the following issues : Security issue fixed : - CVE-2019-10164: Fixed buffer-overflow vulnerabilities in SCRAM verifier parsing (bsc#1138034). - CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689). Bug fixes : - For a complete list of fixes check the release notes. - https://www.postgresql.org/docs/10/release-10-9.html - https://www.postgresql.org/docs/10/release-10-8.html - https://www.postgresql.org/docs/10/release-10-7.html This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 126905 published 2019-07-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126905 title openSUSE Security Update : postgresql10 (openSUSE-2019-1773) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-1511-1.NASL description This update for postgresql10 fixes the following issues : Security issue fixed : CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689). Bug fixes: For a complete list of fixes check the release notes. - https://www.postgresql.org/docs/10/release-10-8.html - https://www.postgresql.org/docs/10/release-10-7.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 125947 published 2019-06-17 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125947 title SUSE SLED12 / SLES12 Security Update : postgresql10 (SUSE-SU-2019:1511-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-1578.NASL description This update for postgresql10 fixes the following issues : Security issue fixed : - CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689). Bug fixes : - For a complete list of fixes check the release notes. - https://www.postgresql.org/docs/10/release-10-8.html - https://www.postgresql.org/docs/10/release-10-7.html This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 126039 published 2019-06-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126039 title openSUSE Security Update : postgresql10 (openSUSE-2019-1578) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-1687-1.NASL description This update for postgresql96 fixes the following issues : Security issue fixed : CVE-2019-10130: Prevent row-level security policies from being bypassed via selectivity estimators (bsc#1134689). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 126238 published 2019-06-25 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126238 title SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2019:1687-1)